curl-library

make "HTTP/0.9" support opt-in ?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 2 Jul 2018 12:50:51 +0200 (CEST)

Hi,

We have this bug [1] that shows a short "HTTP/0.9" response and how curl just
then ignores the data it receives.

HTTP/0.9 is the popular name for the never truly named HTTP version that
existed before HTTP/1.0 was born. It has no response headers at all but
instead it just sends data and requires a closed connection to signal the end
of the data.

libcurl supports HTTP/0.9 by default, which might come as a surprise to users.
Around 3% of users in the annual survey claim they use HTTP/0.9 with curl.

I would like to stop allowing HTTP/0.9 by default and instead make the support
opt-in and thus more explicit. I fear the implied support could become a
subtle security risk at some point to some, plus not supporting it will create
a better route forward for treating responses such as the one in [1] as an
error and not HTTP/0.9 data.

Does anyone have a use case or reasoning why going this way would be a bad
idea?

[1] = https://github.com/curl/curl/issues/2420

-- 
  / daniel.haxx.se
Received on 2018-07-02
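
An added illustration of the opt-in policy proposed in the message above; it is not code from curl or from the author. The function `classify_response`, its `eof` and `allow_http09` parameters and the sample inputs are constructed assumptions: a response that does not begin with a valid status line is accepted as headerless "HTTP/0.9" data only when the application asked for it, and is an error otherwise.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum resp_kind { RESP_NEED_MORE, RESP_HTTP1, RESP_HTTP09, RESP_REJECTED };

/* Hypothetical classifier (not libcurl code) for the first bytes of a
 * response. eof: the peer closed the connection, no more bytes will come.
 * allow_http09: models the explicit opt-in discussed in the message. */
enum resp_kind classify_response(const char *buf, size_t len,
                                 int eof, int allow_http09)
{
    static const char prefix[] = "HTTP/";
    const size_t plen = sizeof(prefix) - 1;
    size_t cmp = len < plen ? len : plen;

    /* Bytes received so far are consistent with a status line. */
    if (memcmp(buf, prefix, cmp) == 0) {
        /* "HTTP/x.y NNN" is 12 bytes; wait for them unless the peer closed. */
        if (len < 12 && !eof)
            return RESP_NEED_MORE;
        if (len >= 12 &&
            isdigit((unsigned char)buf[5]) && buf[6] == '.' &&
            isdigit((unsigned char)buf[7]) && buf[8] == ' ' &&
            isdigit((unsigned char)buf[9]) &&
            isdigit((unsigned char)buf[10]) &&
            isdigit((unsigned char)buf[11]))
            return RESP_HTTP1;
    }
    /* No valid status line: body-only "HTTP/0.9" data if opted in,
     * otherwise a protocol error instead of silently accepted content. */
    return allow_http09 ? RESP_HTTP09 : RESP_REJECTED;
}

int main(void)
{
    const char *hdrless = "hello world\n";   /* constructed sample input */
    printf("default: %d, opted in: %d\n",
           classify_response(hdrless, strlen(hdrless), 1, 0),
           classify_response(hdrless, strlen(hdrless), 1, 1));
    return 0;
}
```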